Re: [BEHAVE] (no subject)

"Senthil Sivakumar (ssenthil)" <> Wed, 19 June 2013 14:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD56D21F9CE0 for <>; Wed, 19 Jun 2013 07:38:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.38
X-Spam-Status: No, score=-10.38 tagged_above=-999 required=5 tests=[AWL=0.219, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VPRBq-itRcKy for <>; Wed, 19 Jun 2013 07:38:14 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 61B3921F9CC2 for <>; Wed, 19 Jun 2013 07:38:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4220; q=dns/txt; s=iport; t=1371652694; x=1372862294; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=ms/pvdAmlEadfk+25NL8nicir1CLDhgAcbPMWx1hMjc=; b=P8i6TKjb4gU515jBY5J3Bm4Rvln3dLYAbTbKJNRZPSMU4X/Yaw2eMbtR C1FvdQZcpdN/NeCLAnPLU4t38RY2Tt7mpvm8vtNI5tKrY9i2StoClpLzV FY65QJfUITU62kzQz2mLK15orEA2mMQpTjFsuJIiNusFrc1C/MywdSp6d I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.87,896,1363132800"; d="scan'208";a="224836098"
Received: from ([]) by with ESMTP; 19 Jun 2013 14:38:13 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r5JEcDBo007285 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 19 Jun 2013 14:38:13 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Wed, 19 Jun 2013 09:38:13 -0500
From: "Senthil Sivakumar (ssenthil)" <>
To: "" <>
Thread-Topic: [BEHAVE] (no subject)
Thread-Index: AQHObFmAgdHlRyxSR02wAQ7tdo7juJk8QUUAgADsCAA=
Date: Wed, 19 Jun 2013 14:38:12 +0000
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Behave <>
Subject: Re: [BEHAVE] (no subject)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Jun 2013 14:38:19 -0000

Hi Ivan,

On 6/18/13 4:33 PM, "ivan c" <> wrote:

>Hi Senthil,
>Thanks for your message. You might want to read
>It features the list of updates to the existing RFC, adapted to new usage
>contexts such as CGNs, mobile networks, etc.

I have reviewed this draft and we had a bit of discussion around these
topics in the last IETF.
>On Tue, 18 Jun 2013 19:24:50 +0000, "Senthil Sivakumar (ssenthil)"
>>>Are you talking about UDP port preservation?
>> Both TCP & UDP. The latest implementation in some router families is not
>> to have port preservation
>> (for both TCP & UDP).
>The discussion here is not about UDP. UDP port preservation should
>generally not be implemented by NATs, as it could generate conflicts when
>internal hosts using the same local port, each with a session to the same
>endpoint. This would break end-to-end connectivity in rare cases, as there
>is no fallback mechanism (as opposed to TCP).
>To be clear, the requirements are as follows:
>* NAT SHOULD NOT use UDP port preservation
>* NAT SHOULD use TCP port preservation
>Here are some NATs that have been tested and implement TCP port
>in the UK:
>BT (British Telecom) (house-made gateway) - number 1 provider
>Virgin (house-made gateway) - number 2 provider
>Sky (Sagemcom) - number 3 provider
>in France:
>Orange (Livebox) (house-made gateway) - number 1 provider
>Free (Freebox) (house-made gateway) - number 2 provider
>SFR/Neuf (Neufbox) (house-made gateway) - number 3 provider
>This covers the overwhelming majority of subscribers.

Ok thanks for the pointers. The NATs that I was talking about were
enterprise/SP NAT boxes,
not the home routers. Many of the CGN implementations don¹t do port

>We have the same results in Spain in Italy.
>Linksys E1200, latest generation.
>Netgear, various models
>It is difficult to find any NAT that does *not* implement TCP port
>preservation in these countries.
>If you think some gateway implementations have dropped TCP port
>preservation, you need to substantially support your claim by a reference.
>We are not aware of anything that would support it.
>> Most of the NATs that I know don¹t do port overloading any more.
>> RFC 5382 also says,
>> REQ-7:  A NAT MUST NOT have a "Port assignment" behavior of "Port
>>       overloading" for TCP.
>This is the purpose of the new draft
> , to
>make the use case for port overloading, as it is needed in CGNs. It wasn't
>needed nearly as much in 2005 when RFC 5382 was first written.
>REQ-7: A NAT MUST NOT have a "Port assignment" behavior of "Port
>overloading" for TCP
>is too stringent, as proved in my earlier message and in the
>draft-ietf-behave-requirements-update-00, and not needed.

There are two distinct things here:
1. Port preservation is a must
2. Port preservation requires port overloading to work deterministically.

I don¹t have a lot of problem with an implementation choosing to do port
preservation if it can.
I do have issues with doing port overloading. Two reasons again.
1. Port overloading requires the destination information to be tracked by
NAT devices. That kills scalability.
2. Port overloading causes packets to be dropped if two connections going
to the same destination, causing indeterministic behavior.
Maybe as Rajiv suggested in another thread, maybe we need a CPE NAT
requirements document where the above requirement might be placed.
But I don¹t know what good it is, if there is another CGN on the headend
that would not honor the port preservation. As I said, in my earlier
Email, the CGNs can now have a pre-allocated set of ports (like 1k
ports/sub), where there is no way to do port preservation.


>Port overloading is perfectly acceptable when the remote endpoints are
>distinct, as it preserves the uniqueness of the 5-tuple.
>As a result, REQ-7 must be corrected.
>_Ivan Chollet_